cURL / Mailing Lists / curl-library / Single Mail


Re: Request to review the code changes for NTLMv2 Support in Curl

From: Prash Dush <>
Date: Tue, 28 Jan 2014 23:47:13 +0530

Hi Steve/Daniel,

Thank you for your efforts in making the NTLMv2 patch ready to merge after
the pending release.
Wanted to get a confirmation from you if NTLMv2 support will be released
with libcurl 7.36.0, or do we see it coming in a later release ?


On Sun, Jan 26, 2014 at 4:05 AM, Daniel Stenberg <> wrote:

> On Sat, 25 Jan 2014, Steve Holme wrote:
> I have these patches in a local branch here and am ready to apply them
>> after the pending release - unless anyone else has any other comments.
>> Note: I would recommend we combine some of the first 6 patches into a
>> single patch as I don't think there is any need to show the copyright, and
>> other minor corrections as separate commits but I wanted to list them
>> individually here so everyone can see the differences.
> Thanks for grabbing the ball. I've glanced over your patches and they look
> fine and since I know you've looked at them at least slightly closer than
> me I'm confident enough they are in a good enough shape to get merged for
> testing pretty much immediately after 7.35.0.
> Option 1:
>> Update the generated Type 3 message in the existing test harnesses to
>> contain the extra NTLMv2 information.
> As long as we know the updated stuff also works fine with NTLMv1 servers I
> think this is fine. But...
> a) Add support for USE_NTLM_V2 so that developers can turn v2 support on
>> or
>> off
> ... I think there may be reasons to allow applications at least to select
> NTLMv2 only. The reason for this being that NTLM is deemed insecure, or at
> least less secure than NTLMv2. For Firefox there's a discussion about
> disabling NTLMv1 completely:
> b) Add "NTLMv2" as a string in the curl features list - as displayed with
>> "curl --version"
> But will there be any version/build of libcurl that supports NTLM but not
> NTLMv2 once we add this support?
> As a timestamp is included in the NTLMv2 information - the code will need
>> a minor tweak so that this timestamp is consistent in DEBUG builds and
>> doesn't vary - similar to what I have done with the MD5-DIGEST tests [4]
>> for IMAP, POP3 and SMTP. This will mean that the same timestamp is used
>> under debug builds so that the message generation is consistent.
> Right, we already add the hostname in NTLM using that method so doing it
> for yet another field shouldn't be a biggie.
> --
> /
> -------------------------------------------------------------------
> List admin:
> Etiquette:

List admin:
Received on 2014-01-28